Windows Analysis Report
Loader.exe

Overview

General Information

Sample name: Loader.exe
Analysis ID: 1627644
MD5: a577dfb3dc2763f1e6bf0744e42e4060
SHA1: bb88662b086bdcb7f2a580e084f59c2eb8dd87a8
SHA256: 183f32b9a6a28b7c1eaae2a07ca92b5e7bada7b7231fcbc7d48b43446c021683
Tags: exe, user-Bastian455

Detection

Score: 80
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Query firmware table information (likely to detect VMs)
Tries to detect debuggers (CloseHandle check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to evade analysis by execution special instruction (VM detection)
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info

Classification

  • System is w10x64
  • Loader.exe (PID: 6468 cmdline: "C:\Users\user\Desktop\Loader.exe" MD5: A577DFB3DC2763F1E6BF0744E42E4060)
    • conhost.exe (PID: 7112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6660 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • cmd.exe (PID: 6388 cmdline: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\Loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • certutil.exe (PID: 1892 cmdline: certutil -hashfile "C:\Users\user\Desktop\Loader.exe" MD5 MD5: F17616EC0522FC5633151F7CAA278CAA)
      • find.exe (PID: 6512 cmdline: find /i /v "md5" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
      • find.exe (PID: 6292 cmdline: find /i /v "certutil" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
    • cmd.exe (PID: 2848 cmdline: C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • WerFault.exe (PID: 1784 cmdline: C:\Windows\system32\WerFault.exe -u -p 6468 -s 484 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: Loader.exe | Virustotal: Detection: 26%
Source: Loader.exe | ReversingLabs: Detection: 23%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Loader.exe, 00000000.00000002.2645911033.0000000140103000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_01bb218d-d
Source: unknown | HTTPS traffic detected: 172.67.133.190:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.1.5:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: Binary string: c:\users\cloudbuild\337244\sdk\nal\src\winnt_wdm\driver\objfre_wnet_AMD64\amd64\iqvw64e.pdb | source: Loader.exe, 00000000.00000002.2645911033.0000000140103000.00000002.00000001.01000000.00000003.sdmp
Source: Joe Sandbox View | IP Address: 104.26.1.5
Source: Joe Sandbox View | JA3 fingerprint: bd0bf25947d4a37404f0424edf4db9ad
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: download.simpletoolz.fun
Source: global traffic | DNS traffic detected: DNS query: keyauth.win
Source: Loader.exe, 00000000.00000002.2645911033.0000000140103000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: Loader.exe, 00000000.00000002.2645911033.0000000140103000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://ocsp.thawte.com0
Source: Loader.exe, 00000000.00000002.2645911033.0000000140103000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: Loader.exe, 00000000.00000002.2645911033.0000000140103000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Loader.exe, 00000000.00000002.2645911033.0000000140103000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Loader.exe, 00000000.00000002.2645911033.0000000140103000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: Loader.exe, 00000000.00000002.2645911033.0000000140103000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://curl.se/docs/hsts.html
Source: Loader.exe, 00000000.00000002.2645911033.0000000140103000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: Loader.exe, 00000000.00000002.2645723910.00000000022FC000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: https://download.simpletoolz.fun/blacklist/blacklist.jso
Source: Loader.exe, 00000000.00000002.2645466692.000000000043C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://download.simpletoolz.fun/blacklist/blacklist.json
Source: Loader.exe, 00000000.00000002.2645466692.000000000043C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://download.simpletoolz.fun/blacklist/blacklist.json.dll
Source: Loader.exe, 00000000.00000002.2645466692.000000000043C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://download.simpletoolz.fun/blacklist/blacklist.jsonxe
Source: Loader.exe, 00000000.00000002.2645466692.0000000000452000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://keyauth.win/api/1.3/
Source: Loader.exe, 00000000.00000002.2645466692.0000000000452000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://keyauth.win/api/1.3/T
Source: Loader.exe, 00000000.00000002.2645466692.0000000000452000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://keyauth.win/api/1.3/j
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: C:\Users\user\Desktop\Loader.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6468 -s 484
Source: Loader.exe, 00000000.00000002.2645911033.0000000140103000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameiQVW64.SYSH vs Loader.exe
Source: classification engine | Classification label: mal80.evad.winEXE@15/1@2/3
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1784:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7112:120:WilError_03
Source: C:\Windows\System32\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\e46ce1de-d58a-4a69-aeb3-0fead5b08ed0
Source: C:\Users\user\Desktop\Loader.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\Loader.exe "C:\Users\user\Desktop\Loader.exe"
Source: C:\Users\user\Desktop\Loader.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Loader.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Users\user\Desktop\Loader.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\Loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\certutil.exe certutil -hashfile "C:\Users\user\Desktop\Loader.exe" MD5
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\find.exe find /i /v "md5"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\find.exe find /i /v "certutil"
Source: C:\Users\user\Desktop\Loader.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
Source: C:\Users\user\Desktop\Loader.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6468 -s 484
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: vcruntime140_1.dll
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: vcruntime140_1.dll
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Loader.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\certutil.exe | Section loaded: certcli.dll
Source: C:\Windows\System32\certutil.exe | Section loaded: cabinet.dll
Source: C:\Windows\System32\certutil.exe | Section loaded: cryptui.dll
Source: C:\Windows\System32\certutil.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\certutil.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\certutil.exe | Section loaded: ntdsapi.dll
Source: C:\Windows\System32\certutil.exe | Section loaded: version.dll
Source: C:\Windows\System32\certutil.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\certutil.exe | Section loaded: certca.dll
Source: C:\Windows\System32\certutil.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\certutil.exe | Section loaded: samcli.dll
Source: C:\Windows\System32\certutil.exe | Section loaded: logoncli.dll
Source: C:\Windows\System32\certutil.exe | Section loaded: dsrole.dll
Source: C:\Windows\System32\certutil.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\certutil.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\certutil.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\certutil.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\certutil.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe | Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe | Section loaded: fsutilext.dll
Source: C:\Windows\System32\find.exe | Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe | Section loaded: fsutilext.dll
Source: Loader.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Loader.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: Loader.exe | Static file information: File size 42460160 > 1048576
Source: Loader.exe | Static PE information: Raw size of .stz2 is bigger than: 0x100000 < 0x287c800
Source: initial sample | Static PE information: section where entry point is pointing to: .stz2
Source: Loader.exe | Static PE information: section name: .stz0
Source: Loader.exe | Static PE information: section name: .stz1
Source: Loader.exe | Static PE information: section name: .stz2

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\Loader.exe | Memory written: PID: 6468 base: 7FF8C8A50008 value: E9 EB D9 E9 FF
Source: C:\Users\user\Desktop\Loader.exe | Memory written: PID: 6468 base: 7FF8C88ED9F0 value: E9 20 26 16 00
Source: C:\Users\user\Desktop\Loader.exe | Memory written: PID: 6468 base: 7FF8C8A6000D value: E9 BB CB EB FF
Source: C:\Users\user\Desktop\Loader.exe | Memory written: PID: 6468 base: 7FF8C891CBC0 value: E9 5A 34 14 00
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Loader.exe | System information queried: FirmwareTableInformation
Source: Loader.exe, 00000000.00000002.2645911033.0000000140103000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OLLYDBG.EXE
Source: Loader.exe, 00000000.00000002.2645911033.0000000140103000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: X64DBG.EXE
Source: Loader.exe, 00000000.00000002.2645911033.0000000140103000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: YQBX64DBG.DLLX32DBG.DLLX64_BRIDGE.DLLX64_DBG.DLLOLLYDBG.EXEX64DBG.EXEX64DBG-UNSIGNED.EXEX96DBG.EXEX64GUI.DLLX64BRIDGE.DLLX32DBG.EXEX32_BRIDGE.DLLX32_DBG.DLLX32BRIDGE.DLLX32GUI.DLLX96_BRIDGE.DLLX96_DBG.DLLX96BRIDGE.DLLX96GUI.DLLX96DBG.DLLX86_BRIDGE.DLLX64_DBG.DLLGELION-KEYAUTH-ONLY.DLLBROCESSRACKER.SIGPREV1.SYSHOOKLIBRARYX64.DLLHOOKLIBRARYX86.DLLSCYLLATEST_X64.EXESCYLLATEST_X86.EXEBROCESSRACKER.EXEX64DBGSCYLLA.DLLPYTHON64.DLLSCYLLAHIDE.DLL
Source: C:\Users\user\Desktop\Loader.exe | Special instruction interceptor: First address: 143A58305 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\Desktop\Loader.exe | Special instruction interceptor: First address: 143A58341 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\Desktop\Loader.exe | Window / User API: threadDelayed 1006
Source: C:\Users\user\Desktop\Loader.exe | Window / User API: threadDelayed 8958
Source: C:\Users\user\Desktop\Loader.exe TID: 6300 | Thread sleep time: -45000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\Loader.exe | Thread delayed: delay time: 45000
Source: Loader.exe, 00000000.00000002.2645911033.0000000140103000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: )vmware.dllVBoxHook.dlldbgeng.dllImDbg.dlldbgsvc.dllunpacker.exevmmem.dllVBoxRT.dlllibdwarf.dllVBoxSVC.dllVBoxOGL.dllVBoxDD.dllvboxdrv.sysHyperV.dllsandboxie.dllsandboxiedll.dllwin32_user64.dllgolang64.dllpdb64.dllqemu.dllkvm.dlldocker.dllcitrix.dllbluestacks.dllnox.dllgenymotion.dllmemu.dllvagrant.dllcygwin1.dllwsl.dllTitanEngine.dllScylla.dllScylla_x64.dllsymsrv.dllollydbg.dllida.dllida64.dlldbg64.dlldwarf64.dllidapython.dllidasdk.dllimmdbg.dlldnSpy.dllghidra.dllghidra64.dlljeb.dllprocdump.dllprocesshacker.dllwdbgexts.dlldebugevent.dllvehdebug-x86_64.dlldbghelp_x64.libdbghelp_x64.adbghelp.h_dbgfunctions.hDbgModelClient.dllfrida.dllfrida-agent.dlldbgmodel.dllx86_dbg.dllx86bridge.dllx86gui.dllx86dbg.dllVZZ^^ZZVV**..**66::>>::66*
Source: Loader.exe, 00000000.00000002.2645911033.0000000140103000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: VBoxHook.dll
Source: Loader.exe, 00000000.00000002.2645911033.0000000140103000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: qemu.dll
Source: Loader.exe | Binary or memory string: vMcIwy
Source: Loader.exe, 00000000.00000002.2645911033.0000000140103000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: vmware.dll
Source: Loader.exe, 00000000.00000002.2645466692.0000000000452000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\Loader.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\Loader.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\Loader.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\Loader.exe | Handle closed: DEADC0DE
Source: C:\Users\user\Desktop\Loader.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\Loader.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\Loader.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\Loader.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\Loader.exe | Process queried: DebugPort

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Loader.exe | NtQuerySystemInformation: Direct from: 0x141E2FAE6
Source: C:\Users\user\Desktop\Loader.exe | NtSetInformationProcess: Direct from: 0x1439B6296
Source: C:\Users\user\Desktop\Loader.exe | NtUnmapViewOfSection: Direct from: 0x14399D784
Source: C:\Users\user\Desktop\Loader.exe | NtProtectVirtualMemory: Direct from: 0x143992536
Source: C:\Users\user\Desktop\Loader.exe | NtQueryInformationProcess: Direct from: 0x1436B79B6
Source: C:\Users\user\Desktop\Loader.exe | NtProtectVirtualMemory: Direct from: 0x141E3826D
Source: C:\Users\user\Desktop\Loader.exe | NtQueryInformationProcess: Direct from: 0x143334132
Source: C:\Users\user\Desktop\Loader.exe | NtQueryInformationProcess: Direct from: 0x143A4EE5E
Source: C:\Users\user\Desktop\Loader.exe | NtProtectVirtualMemory: Direct from: 0x1436CB381
Source: C:\Users\user\Desktop\Loader.exe | NtQuerySystemInformation: Direct from: 0x143A4A4BA
Source: C:\Users\user\Desktop\Loader.exe | NtQueryInformationProcess: Direct from: 0x1439AB65B
Source: C:\Users\user\Desktop\Loader.exe | NtQueryInformationProcess: Direct from: 0x143A4C33B
Source: C:\Users\user\Desktop\Loader.exe | NtMapViewOfSection: Direct from: 0x1436C8DB7
Source: C:\Users\user\Desktop\Loader.exe | NtSetInformationThread: Direct from: 0x141E49F73
Source: C:\Users\user\Desktop\Loader.exe | NtProtectVirtualMemory: Direct from: 0x1432FFFED
Source: C:\Users\user\Desktop\Loader.exe | NtQuerySystemInformation: Direct from: 0x1433316A0
Source: C:\Users\user\Desktop\Loader.exe | NtQuerySystemInformation: Direct from: 0x143971322
Source: C:\Users\user\Desktop\Loader.exe | NtOpenFile: Direct from: 0x143979827
Source: C:\Users\user\Desktop\Loader.exe | NtProtectVirtualMemory: Indirect: 0x141DF7489
Source: C:\Users\user\Desktop\Loader.exe | NtProtectVirtualMemory: Direct from: 0x141E501A6
Source: C:\Users\user\Desktop\Loader.exe | NtClose: Direct from: 0x143A4F7D8
Source: C:\Users\user\Desktop\Loader.exe | NtQuerySystemInformation: Direct from: 0x143980F7C
Source: C:\Users\user\Desktop\Loader.exe | NtProtectVirtualMemory: Direct from: 0x143341EC6
Source: C:\Users\user\Desktop\Loader.exe | NtProtectVirtualMemory: Direct from: 0x143A2A71A
Source: C:\Users\user\Desktop\Loader.exe | NtProtectVirtualMemory: Direct from: 0x1433145F6
Source: C:\Users\user\Desktop\Loader.exe | NtSetInformationThread: Direct from: 0x141E49C21
Source: Loader.exe, 00000000.00000002.2645911033.0000000140103000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: ollydbg.exe
MITRE ATT&CK Matrix (the export flattened the matrix; it is listed here by tactic, with the number the report attaches to a technique given in brackets; techniques without a number are the matrix's default cells):

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
Execution: Windows Management Instrumentation, Scheduled Task/Job, At, Cron, Launchd
Persistence: DLL Side-Loading [1], Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script
Privilege Escalation: Process Injection [11], Abuse Elevation Control Mechanism [1], DLL Side-Loading [1], Login Hook, Network Logon Script
Defense Evasion: Virtualization/Sandbox Evasion [221], Process Injection [11], Abuse Elevation Control Mechanism [1], DLL Side-Loading [1], Software Packing
Credential Access: Credential API Hooking [1], LSASS Memory, Security Account Manager, NTDS, LSA Secrets
Discovery: Security Software Discovery [521], Process Discovery [1], Virtualization/Sandbox Evasion [221], Application Window Discovery [1], System Information Discovery [12]
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
Collection: Credential API Hooking [1], Archive Collected Data [1], Data from Network Shared Drive, Input Capture, Keylogging
Command and Control: Encrypted Channel [2], Non-Application Layer Protocol [1], Application Layer Protocol [2], Protocol Impersonation, Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact
Source | Detection | Scanner | Label
Loader.exe | 26% | Virustotal |
Loader.exe | 24% | ReversingLabs | Win32.Trojan.Generic
No Antivirus matches
No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
https://download.simpletoolz.fun/blacklist/blacklist.json.dll | 0% | Avira URL Cloud | safe
https://download.simpletoolz.fun/blacklist/blacklist.json | 0% | Avira URL Cloud | safe
https://download.simpletoolz.fun/blacklist/blacklist.jsonxe | 0% | Avira URL Cloud | safe
https://download.simpletoolz.fun/blacklist/blacklist.jso | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
keyauth.win | 104.26.1.5 | true | false | | high
download.simpletoolz.fun | 172.67.133.190 | true | false | | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
https://curl.se/docs/hsts.html | Loader.exe, 00000000.00000002.2645911033.0000000140103000.00000002.00000001.01000000.00000003.sdmp | false | | high
https://download.simpletoolz.fun/blacklist/blacklist.json.dll | Loader.exe, 00000000.00000002.2645466692.000000000043C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://keyauth.win/api/1.3/j | Loader.exe, 00000000.00000002.2645466692.0000000000452000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://download.simpletoolz.fun/blacklist/blacklist.jso | Loader.exe, 00000000.00000002.2645723910.00000000022FC000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://keyauth.win/api/1.3/ | Loader.exe, 00000000.00000002.2645466692.0000000000452000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://download.simpletoolz.fun/blacklist/blacklist.json | Loader.exe, 00000000.00000002.2645466692.000000000043C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://curl.se/docs/alt-svc.html | Loader.exe, 00000000.00000002.2645911033.0000000140103000.00000002.00000001.01000000.00000003.sdmp | false | | high
http://crl.thawte.com/ThawteTimestampingCA.crl0 | Loader.exe, 00000000.00000002.2645911033.0000000140103000.00000002.00000001.01000000.00000003.sdmp | false | | high
https://curl.se/docs/http-cookies.html | Loader.exe, 00000000.00000002.2645911033.0000000140103000.00000002.00000001.01000000.00000003.sdmp | false | | high
http://ocsp.thawte.com0 | Loader.exe, 00000000.00000002.2645911033.0000000140103000.00000002.00000001.01000000.00000003.sdmp | false | | high
https://download.simpletoolz.fun/blacklist/blacklist.jsonxe | Loader.exe, 00000000.00000002.2645466692.000000000043C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://keyauth.win/api/1.3/T | Loader.exe, 00000000.00000002.2645466692.0000000000452000.00000004.00000020.00020000.00000000.sdmp | false | | high

IP | Domain | Country | ASN | ASN Name | Malicious
104.26.1.5 | keyauth.win | United States | 13335 | CLOUDFLARENETUS | false
172.67.133.190 | download.simpletoolz.fun | United States | 13335 | CLOUDFLARENETUS | false

IP
127.0.0.1
                      Joe Sandbox version:42.0.0 Malachite
                      Analysis ID:1627644
                      Start date and time:2025-03-03 01:26:37 +01:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 5m 43s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                      Run name:Run with higher sleep bypass
                      Number of analysed new started processes analysed:13
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:Loader.exe
                      Detection:MAL
                      Classification:mal80.evad.winEXE@15/1@2/3
                      EGA Information:Failed
                      HCA Information:
                      • Successful, ratio: 100%
                      • Number of executed functions: 0
                      • Number of non-executed functions: 0
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                      • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
                      • Stop behavior analysis, all processes terminated
                      • Exclude process from analysis (whitelisted): WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                      • Excluded IPs from analysis (whitelisted): 13.107.246.60, 20.109.210.53
                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                      No simulations
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
104.26.1.5 | http://adarsh389.github.io/adarsh.instagram/ | Get hash | malicious | HTMLPhisher | Browse |
 | EspPrivStoreAtt116.exe | Get hash | malicious | Unknown | Browse |
 | PlusPrivStoreAtt116.exe | Get hash | malicious | Unknown | Browse |
 | tpmbypassprivatestore.exe | Get hash | malicious | Unknown | Browse |
 | SPOOOFER776.exe | Get hash | malicious | Unknown | Browse |
 | PlusPrivStoreAtt116.exe | Get hash | malicious | Unknown | Browse |
 | CCuITQzvd4.exe | Get hash | malicious | Unknown | Browse |
 | dMFmJxq6oK.exe | Get hash | malicious | Unknown | Browse |
 | SecuriteInfo.com.Win64.MalwareX-gen.31244.2279.exe | Get hash | malicious | Unknown | Browse |
 | SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe | Get hash | malicious | Unknown | Browse |
172.67.133.190 | SecuriteInfo.com.Trojan.MulDrop27.59761.17282.9521.exe | Get hash | malicious | Unknown | Browse |
 | SecuriteInfo.com.Win64.HacktoolX-gen.10384.15523.exe | Get hash | malicious | Unknown | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
download.simpletoolz.fun | SecuriteInfo.com.Trojan.MulDrop27.59761.17282.9521.exe | Get hash | malicious | Unknown | Browse | 172.67.133.190
 | SecuriteInfo.com.Win64.HacktoolX-gen.10384.15523.exe | Get hash | malicious | Unknown | Browse | 172.67.133.190
keyauth.win | divined unlocker.exe | Get hash | malicious | Unknown | Browse | 104.26.0.5
 | SecuriteInfo.com.Win64.Trojan.Agent.SPKBLR.21082.13583.exe | Get hash | malicious | Unknown | Browse | 104.26.0.5
 | SecuriteInfo.com.Win64.Trojan.Agent.SPKBLR.21082.13583.exe | Get hash | malicious | Unknown | Browse | 172.67.72.57
 | main.exe | Get hash | malicious | Unknown | Browse | 104.26.0.5
 | EspPrivStoreAtt116.exe | Get hash | malicious | Unknown | Browse | 104.26.1.5
 | SPOOOFER776.exe | Get hash | malicious | Unknown | Browse | 104.26.0.5
 | PlusPrivStoreAtt116.exe | Get hash | malicious | Unknown | Browse | 104.26.1.5
 | AimPrivStoreAtt117.exe | Get hash | malicious | Unknown | Browse | 172.67.72.57
 | EspPrivStoreAtt116.exe | Get hash | malicious | Unknown | Browse | 104.26.0.5
 | tpmbypassprivatestore.exe | Get hash | malicious | Unknown | Browse | 104.26.1.5
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
CLOUDFLARENETUS | site-drive.com-la-pelicula-titanic-en-espaol_205376.exe | Get hash | malicious | Unknown | Browse | 104.18.18.170
 | SecuriteInfo.com.Trojan.Inject5.17530.4675.11921.exe | Get hash | malicious | Unknown | Browse | 172.64.41.3
 | SecuriteInfo.com.Trojan.Inject5.17530.4675.11921.exe | Get hash | malicious | Unknown | Browse | 172.67.137.87
 | 418Wtr75920.svg | Get hash | malicious | HTMLPhisher | Browse | 104.18.95.41
 | VibeCall.exe | Get hash | malicious | RHADAMANTHYS | Browse | 188.114.97.3
 | VibeCall.exe | Get hash | malicious | RHADAMANTHYS | Browse | 172.67.74.152
 | striped.exe | Get hash | malicious | LummaC Stealer | Browse | 104.21.92.126
 | SecuriteInfo.com.Win64.MalwareX-gen.24714.14996.exe | Get hash | malicious | Unknown | Browse | 172.67.181.118
 | cf.hta | Get hash | malicious | Unknown | Browse | 104.21.48.75
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
bd0bf25947d4a37404f0424edf4db9ad | 1.exe | Get hash | malicious | Unknown | Browse | 172.67.133.190, 104.26.1.5
 | setup.msi | Get hash | malicious | Unknown | Browse | 172.67.133.190, 104.26.1.5
 | 5bf784.msi | Get hash | malicious | Unknown | Browse | 172.67.133.190, 104.26.1.5
 | 34.exe | Get hash | malicious | Unknown | Browse | 172.67.133.190, 104.26.1.5
 | 11.exe | Get hash | malicious | Unknown | Browse | 172.67.133.190, 104.26.1.5
 | BundleInstaller.dll.exe | Get hash | malicious | Unknown | Browse | 172.67.133.190, 104.26.1.5
 | SecuriteInfo.com.Win64.Trojan.Agent.SPKBLR.21082.13583.exe | Get hash | malicious | Unknown | Browse | 172.67.133.190, 104.26.1.5
 | thIrHnhL2S.exe | Get hash | malicious | Unknown | Browse | 172.67.133.190, 104.26.1.5
 | thIrHnhL2S.exe | Get hash | malicious | Unknown | Browse | 172.67.133.190, 104.26.1.5
 | Spotify.exe | Get hash | malicious | Unknown | Browse | 172.67.133.190, 104.26.1.5
                                              No context
                                              Process:C:\Users\user\Desktop\Loader.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):182
                                              Entropy (8bit):4.762778148056286
                                              Encrypted:false
                                              SSDEEP:3:c+yQIFYH7NAVdL3C+C5OKDWuJrlABFq6+yWeWiovqMmR5H:cW4qBcdLbCUKKGZAlWLyd3H
                                              MD5:CE8E6D138D918C04F02E700EF9D91B3E
                                              SHA1:71EE14578EE056B5BD6686120CF24988DAA467CE
                                              SHA-256:99495B7D91032CA828945E0C75AF2E47758E29EA7EA6EB54B784C42094FBF916
                                              SHA-512:F1252B5899F0AF6D397D3E157077D0A7E83CD9D73BB267F13B078F9D78CF60B4983E25429EE3B804EA838481C390C1EECF4F14931435FE347D332C2B59065EC3
                                              Malicious:false
                                              Reputation:low
                                              Preview: ..[+] Product: External V2 Loader..Please wait.........Initialising Pre Auth Checks..[+] Secure Boot is disabled.....Passed Initial Checks!! ..Continuing Now..Initialise Successfull
                                              File type:PE32+ executable (console) x86-64, for MS Windows
                                              Entropy (8bit):7.852850991195054
                                              TrID:
                                              • Win64 Executable Console (202006/5) 92.65%
                                              • Win64 Executable (generic) (12005/4) 5.51%
                                              • Generic Win/DOS Executable (2004/3) 0.92%
                                              • DOS Executable Generic (2002/1) 0.92%
                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                              File name:Loader.exe
                                              File size:42'460'160 bytes
                                              MD5:a577dfb3dc2763f1e6bf0744e42e4060
                                              SHA1:bb88662b086bdcb7f2a580e084f59c2eb8dd87a8
                                              SHA256:183f32b9a6a28b7c1eaae2a07ca92b5e7bada7b7231fcbc7d48b43446c021683
                                              SHA512:73b153439aac1dc950a4dc386df66d5a04f3dbbd7d445ca2c8baa459d80693a6c3fec1a2d1e7cbe8b8676774a9870513fc455a060c08cce4fd00313d6906bf98
                                              SSDEEP:786432:bouej2TlWEIqic7TgqvIZzXEQt6fKj6IHr7/ZVaLgsW22FRPVCsY:E7aZWW7UqQhXPGY6mr+Lg82nPYsY
                                              TLSH:1C9723DB69E5A2E4D0D3890466CF12D9A0C1787DC5EE9D6C1DC768032530CEBDA8E8B7
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......g..........#....*......2.......2........@..............................i........... ................................
                                              Icon Hash:90cececece8e8eb0
                                              Entrypoint:0x143321385
                                              Entrypoint Section:.stz2
                                              Digitally signed:false
                                              Imagebase:0x140000000
                                              Subsystem:windows cui
                                              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                              DLL Characteristics:HIGH_ENTROPY_VA, NX_COMPAT, TERMINAL_SERVER_AWARE
                                              Time Stamp:0x67C3C917 [Sun Mar 2 02:57:27 2025 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:6
                                              OS Version Minor:0
                                              File Version Major:6
                                              File Version Minor:0
                                              Subsystem Version Major:6
                                              Subsystem Version Minor:0
                                              Import Hash:4b064086ec01b6a415482ae891b03beb
                                              Instruction
                                              pushfd
                                              push ebx
                                              call 00007F07AB2E72D6h
                                              pop ebx
                                              jnbe 00007F07AC7D11A2h
                                              sbb eax, 325172E0h
                                              xlatb
                                              xor edx, ebx
                                              add dl, bh
                                              or al, BFh
                                              leave
                                              cmp dh, dl
                                              xchg eax, ebp
                                              xchg eax, edx
                                              das
                                              salc
                                              push es
                                              retf C000h
                                              dec ebx
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x332f228 | 0x244 | .stz2
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x469b000 | 0x1e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x468f390 | 0xb358 | .stz2
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x397cad0 | 0x28 | .stz2
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x468f250 | 0x140 | .stz2
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1e1c000 | 0x1e8 | .stz1
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x1017bc | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x103000 | 0x86d06 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x18a000 | 0x29f220 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x42a000 | 0x8910 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.stz0 | 0x433000 | 0x19e8757 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.stz1 | 0x1e1c000 | 0x15b8 | 0x1600 | a02bfe14c9cc0e32a78b432faf3b5d26 | False | 0.03639914772727273 | data | 0.28676784645634273 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.stz2 | 0x1e1e000 | 0x287c6e8 | 0x287c800 | 088f7c02504303bc2901fb1705a7585f | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x469b000 | 0x1e0 | 0x200 | feac13e66ba9bf364628556823f5e154 | False | 0.537109375 | data | 4.7731123776680375 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x469b058 | 0x188 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5892857142857143
DLL | Import
KERNEL32.dll | DeleteCriticalSection
USER32.dll | GetWindow
GDI32.dll | CreateCompatibleDC
ADVAPI32.dll | InitializeAcl
SHELL32.dll | ShellExecuteA
MSVCP140.dll | ?_Xbad_function_call@std@@YAXXZ
WININET.dll | InternetOpenA
ntdll.dll | RtlCaptureContext
CRYPT32.dll | CertFreeCertificateChain
WS2_32.dll | sendto
PSAPI.DLL | GetModuleInformation
bcrypt.dll | BCryptGenRandom
USERENV.dll | UnloadUserProfile
VCRUNTIME140.dll | strstr
VCRUNTIME140_1.dll | __CxxFrameHandler4
api-ms-win-crt-runtime-l1-1-0.dll | _errno
api-ms-win-crt-stdio-l1-1-0.dll | _lseeki64
api-ms-win-crt-math-l1-1-0.dll | ceilf
api-ms-win-crt-heap-l1-1-0.dll | realloc
api-ms-win-crt-convert-l1-1-0.dll | atoi
api-ms-win-crt-time-l1-1-0.dll | _gmtime64
api-ms-win-crt-locale-l1-1-0.dll | ___lc_codepage_func
api-ms-win-crt-string-l1-1-0.dll | tolower
api-ms-win-crt-utility-l1-1-0.dll | srand
api-ms-win-crt-filesystem-l1-1-0.dll | _unlink
api-ms-win-crt-environment-l1-1-0.dll | _dupenv_s
KERNEL32.dll | GetSystemTimeAsFileTime
KERNEL32.dll | HeapAlloc, HeapFree, ExitProcess, GetModuleHandleA, LoadLibraryA, GetProcAddress
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 3, 2025 01:27:44.805485964 CET | 49706 | 443 | 192.168.2.5 | 172.67.133.190
Mar 3, 2025 01:27:44.805567980 CET | 443 | 49706 | 172.67.133.190 | 192.168.2.5
Mar 3, 2025 01:27:44.805651903 CET | 49706 | 443 | 192.168.2.5 | 172.67.133.190
Mar 3, 2025 01:27:44.817975998 CET | 49706 | 443 | 192.168.2.5 | 172.67.133.190
Mar 3, 2025 01:27:44.818022966 CET | 443 | 49706 | 172.67.133.190 | 192.168.2.5
Mar 3, 2025 01:27:44.925781012 CET | 49709 | 443 | 192.168.2.5 | 104.26.1.5
Mar 3, 2025 01:27:44.925797939 CET | 443 | 49709 | 104.26.1.5 | 192.168.2.5
Mar 3, 2025 01:27:44.925853968 CET | 49709 | 443 | 192.168.2.5 | 104.26.1.5
Mar 3, 2025 01:27:44.926233053 CET | 49709 | 443 | 192.168.2.5 | 104.26.1.5
Mar 3, 2025 01:27:44.926248074 CET | 443 | 49709 | 104.26.1.5 | 192.168.2.5
Mar 3, 2025 01:27:45.299290895 CET | 443 | 49706 | 172.67.133.190 | 192.168.2.5
Mar 3, 2025 01:27:45.299433947 CET | 49706 | 443 | 192.168.2.5 | 172.67.133.190
Mar 3, 2025 01:27:45.398354053 CET | 443 | 49709 | 104.26.1.5 | 192.168.2.5
Mar 3, 2025 01:27:45.398483038 CET | 49709 | 443 | 192.168.2.5 | 104.26.1.5
Mar 3, 2025 01:27:46.249996901 CET | 49709 | 443 | 192.168.2.5 | 104.26.1.5
Mar 3, 2025 01:27:46.250037909 CET | 49706 | 443 | 192.168.2.5 | 172.67.133.190
Mar 3, 2025 01:27:46.250220060 CET | 443 | 49709 | 104.26.1.5 | 192.168.2.5
Mar 3, 2025 01:27:46.250241995 CET | 443 | 49706 | 172.67.133.190 | 192.168.2.5
Mar 3, 2025 01:27:46.250294924 CET | 49709 | 443 | 192.168.2.5 | 104.26.1.5
Mar 3, 2025 01:27:46.250324965 CET | 49706 | 443 | 192.168.2.5 | 172.67.133.190
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 3, 2025 01:27:44.778094053 CET | 55703 | 53 | 192.168.2.5 | 1.1.1.1
Mar 3, 2025 01:27:44.795491934 CET | 53 | 55703 | 1.1.1.1 | 192.168.2.5
Mar 3, 2025 01:27:44.917201042 CET | 61166 | 53 | 192.168.2.5 | 1.1.1.1
Mar 3, 2025 01:27:44.924709082 CET | 53 | 61166 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 3, 2025 01:27:44.778094053 CET | 192.168.2.5 | 1.1.1.1 | 0xcff6 | Standard query (0) | download.simpletoolz.fun | A (IP address) | IN (0x0001) | false
Mar 3, 2025 01:27:44.917201042 CET | 192.168.2.5 | 1.1.1.1 | 0xafc0 | Standard query (0) | keyauth.win | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 3, 2025 01:27:44.795491934 CET | 1.1.1.1 | 192.168.2.5 | 0xcff6 | No error (0) | download.simpletoolz.fun | | 172.67.133.190 | A (IP address) | IN (0x0001) | false
Mar 3, 2025 01:27:44.795491934 CET | 1.1.1.1 | 192.168.2.5 | 0xcff6 | No error (0) | download.simpletoolz.fun | | 104.21.14.14 | A (IP address) | IN (0x0001) | false
Mar 3, 2025 01:27:44.924709082 CET | 1.1.1.1 | 192.168.2.5 | 0xafc0 | No error (0) | keyauth.win | | 104.26.1.5 | A (IP address) | IN (0x0001) | false
Mar 3, 2025 01:27:44.924709082 CET | 1.1.1.1 | 192.168.2.5 | 0xafc0 | No error (0) | keyauth.win | | 104.26.0.5 | A (IP address) | IN (0x0001) | false
Mar 3, 2025 01:27:44.924709082 CET | 1.1.1.1 | 192.168.2.5 | 0xafc0 | No error (0) | keyauth.win | | 172.67.72.57 | A (IP address) | IN (0x0001) | false


                                              Target ID:0
                                              Start time:19:27:30
                                              Start date:02/03/2025
                                              Path:C:\Users\user\Desktop\Loader.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Users\user\Desktop\Loader.exe"
                                              Imagebase:0x140000000
                                              File size:42'460'160 bytes
                                              MD5 hash:A577DFB3DC2763F1E6BF0744E42E4060
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:true

                                              Target ID:1
                                              Start time:19:27:31
                                              Start date:02/03/2025
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:2
                                              Start time:19:27:43
                                              Start date:02/03/2025
                                              Path:C:\Windows\System32\cmd.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\cmd.exe /c cls
                                              Imagebase:0x7ff7fdb60000
                                              File size:289'792 bytes
                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:3
                                              Start time:19:27:43
                                              Start date:02/03/2025
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\Loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
Imagebase:0x7ff7fdb60000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:4
Start time:19:27:43
Start date:02/03/2025
Path:C:\Windows\System32\certutil.exe
Wow64 process (32bit):false
Commandline:certutil -hashfile "C:\Users\user\Desktop\Loader.exe" MD5
Imagebase:0x7ff68eca0000
File size:1'651'712 bytes
MD5 hash:F17616EC0522FC5633151F7CAA278CAA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:5
Start time:19:27:43
Start date:02/03/2025
Path:C:\Windows\System32\find.exe
Wow64 process (32bit):false
Commandline:find /i /v "md5"
Imagebase:0x7ff7a9980000
File size:17'920 bytes
MD5 hash:4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:6
Start time:19:27:43
Start date:02/03/2025
Path:C:\Windows\System32\find.exe
Wow64 process (32bit):false
Commandline:find /i /v "certutil"
Imagebase:0x7ff7a9980000
File size:17'920 bytes
MD5 hash:4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:8
Start time:19:27:44
Start date:02/03/2025
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
Imagebase:0x7ff7fdb60000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:11
Start time:19:27:45
Start date:02/03/2025
Path:C:\Windows\System32\WerFault.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\WerFault.exe -u -p 6468 -s 484
Imagebase:0x7ff68d810000
File size:570'736 bytes
MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

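The command lines in the process table above show three things worth pulling out for detection: the sample shells out to certutil to hash its own image and strips certutil's header and footer lines with two find /i /v stages so that only the hash line is left (a self-integrity check), it then launches a detached console that prints a decoy "SSL connect error" message, and WerFault is finally invoked for the crashing process. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses the report's Key:value records (a field subset copied from the table above), models the find /i /v pipeline over a constructed three-line certutil output (the header wording varies by Windows build; only the fact that it contains "md5" and "certutil" matters here) to show that only the hash survives, and flags the three behaviours. SAMPLE_PATH, the regular expressions and all function names are mine.

```python
import re
from typing import Dict, List

# Submitted sample path, taken from the certutil command line in the report.
SAMPLE_PATH = r"C:\Users\user\Desktop\Loader.exe"

# Subset of the report's process records (Path / Commandline / Target ID only),
# in the report's own "Key:value" layout with a blank line between processes.
REPORT_RECORDS = r"""
Path:C:\Windows\System32\cmd.exe
Commandline:C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\Loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"

Target ID:4
Path:C:\Windows\System32\certutil.exe
Commandline:certutil -hashfile "C:\Users\user\Desktop\Loader.exe" MD5

Target ID:5
Path:C:\Windows\System32\find.exe
Commandline:find /i /v "md5"

Target ID:6
Path:C:\Windows\System32\find.exe
Commandline:find /i /v "certutil"

Target ID:8
Path:C:\Windows\System32\cmd.exe
Commandline:C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"

Target ID:11
Path:C:\Windows\System32\WerFault.exe
Commandline:C:\Windows\system32\WerFault.exe -u -p 6468 -s 484
"""

# Constructed stand-in for what `certutil -hashfile <file> MD5` prints (header,
# hash, footer). The hash is the sample MD5 from the report's General Information.
CERTUTIL_OUTPUT = [
    "MD5 hash of C:\\Users\\user\\Desktop\\Loader.exe:",
    "a577dfb3dc2763f1e6bf0744e42e4060",
    "CertUtil: -hashfile command completed successfully.",
]

HASHFILE_RE = re.compile(
    r'certutil(?:\.exe)?\s+-hashfile\s+(?:"([^"]+)"|(\S+))(?:\s+(\w+))?', re.I)
DECOY_RE = re.compile(r"\bstart\s+cmd\b.*\btitle\s+error\b.*\becho\b", re.I)
ECHO_RE = re.compile(r"\becho\s+([^&]+?)\s*(?:&&|$)", re.I)
WERFAULT_RE = re.compile(r"WerFault\.exe\s+-u\s+-p\s+(\d+)", re.I)
FIND_STAGE_RE = re.compile(r'^\s*find\s+((?:/\w\s+)*)"([^"]*)"\s*$', re.I)


def parse_records(text: str) -> List[Dict[str, str]]:
    """Split the report's process table into one dict per process."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # first colon only: paths contain ':'
            if sep:
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records


def run_find_pipeline(cmdline: str, certutil_lines: List[str]) -> List[str]:
    """Apply each `find [/i] [/v] "needle"` stage after the first '|' to the lines."""
    lines = list(certutil_lines)
    for stage in cmdline.split("|")[1:]:
        m = FIND_STAGE_RE.match(stage)
        if not m:
            raise ValueError(f"unsupported pipeline stage: {stage.strip()}")
        flags = {f.lower() for f in m.group(1).split()}
        needle, ci, invert = m.group(2), "/i" in flags, "/v" in flags

        def contains(line: str) -> bool:
            return (needle.lower() in line.lower()) if ci else (needle in line)

        # /v keeps the lines that do NOT contain the needle.
        lines = [ln for ln in lines if contains(ln) != invert]
    return lines


def analyze(records: List[Dict[str, str]], sample_path: str) -> List[Dict[str, object]]:
    """Flag self-hash checks on the sample, decoy error consoles and WerFault reports."""
    findings: List[Dict[str, object]] = []
    for rec in records:
        cmd, path = rec.get("Commandline", ""), rec.get("Path", "")
        m = HASHFILE_RE.search(cmd)
        if m and (m.group(1) or m.group(2)).lower() == sample_path.lower():
            findings.append({"technique": "self-hash check", "process": path,
                             "algorithm": (m.group(3) or "").upper()})
        if DECOY_RE.search(cmd):
            e = ECHO_RE.search(cmd)
            findings.append({"technique": "decoy error message", "process": path,
                             "message": e.group(1) if e else ""})
        w = WERFAULT_RE.search(cmd)
        if w:
            findings.append({"technique": "crash report", "process": path,
                             "pid": int(w.group(1))})
    return findings


if __name__ == "__main__":
    recs = parse_records(REPORT_RECORDS)
    for f in analyze(recs, SAMPLE_PATH):
        print(f)
    print("hash line left after the find stages:",
          run_find_pipeline(recs[0]["Commandline"], CERTUTIL_OUTPUT))
```

The self-hash rule fires twice, once for the cmd.exe launcher and once for certutil.exe itself; in a real telemetry pipeline you would key it on the parent's own image path rather than a hard-coded sample path.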
                                              No disassembly